The FDA says Hospira is aware of the cybersecurity weaknesses with the Symbiq Infusion System, and has recommended hospitals stop using them and switch to alternative infusion systems. The agency said it was not aware “of any patient adverse events or unauthorized access of a Symbiq Infusion System in a health care setting.”

Hospira has stopped manufacturing and distributing the Symbiq Infusion System, which was “due to unrelated issues,” according to the FDA. However, many of them are still available for purchase through medical supply companies. The FDA advised health care facilities to avoid purchasing the pumps from these third parties.

In addition, Rios said he has found similar vulnerabilities in other pumps made by Hospira. The company’s PCA LifeCare pumps; PCA3 LifeCare and PCA5 LifeCare pumps; and its Plum A+ model of pumps are all able to be accessed by hackers, according to Wired.

Rios told Wired that the communications modules used with the pumps allow updates to the machines’ firmware. “And if you can update the firmware on the main board, you can make the pump do whatever you like,” Rios said.

Nor would a hacker need physical access to the pump to change the programming. “You can talk to that communication module over the network or over a wireless network,” Rios said.